A project for converting IDS/IPS/NGFW rules into Snort 3 rules.
| License: | MIT License |
|---|
Usage
usage: snort3convert.py [-h] [--source_rule_type SOURCE_RULE_TYPE] [--output_rule_type OUTPUT_RULE_TYPE] [--SID SID] input_file output_file Program Accepts Selected rule input and converts to selected output rule type. positional arguments: input_file Full path to Source File output_file Full path for Output File optional arguments: -h, --help show this help message and exit --source_rule_type SOURCE_RULE_TYPE Source Rule OPTIONS: Suricata --output_rule_type OUTPUT_RULE_TYPE Output Rule OPTIONS: Snort3 --SID SID Starting SID value for Snort rules
To run the tool via python (installed via pip)
$ pip install snort3_conv_tools $ python -m snort3_conv_tools.snort3convert testsuricatainputrules.txt snort3rules.txt --SID 1000010 --source_rule_type SURICATA --output_rule_type SNORT
To run the tool via windows executeable (from release page)
$ snort3convert.exe suricatarules.txt snort3rules.txt --SID 1000010 --source_rule_type SURICATA --output_rule_type SNORT3
For convenience you can use the defaults
To run the short form of the above python command using defaults
$ python snort3convert.py suricatarules.txt snort3rules.txt
To run the short form of the above windows command using defaults
$ snort3convert.exe suricatarules.txt snort3rules.txt
This tool has currently been tested on the following features:
| Surricata Function Support Summary | |
|---|---|
| Feature | Support Status |
| URL | supported |
| SSH | supported |
| PCRE | supported |
| User-Agent | supported |
If you wish to contribute to expand support or simply hack away then please do!
Checkout the code:
git clone https://github.com/Cisconate/Snort3ConverterInstall Dependencies:
cd dev
pip install requirements/dev.txtInstall Dev Dependencies then:
cd docs
makeQuick and Dirty:
$ cd src/
$ python -m pytest ../tests
or
$ python -m pytest ../tests --log-cli-level DEBUG -sThe Right Way:
$ toxWe use tox. It builds virtual environments defined in tox.ini for different versions of python, then builds the installable package, then installs it, then runs the tests. It does this for all the versions you have defined and is suitable for continuous integration.
It is intentional that you cannot run a normal pytest command without PYTHONPATH
tomfoolery or calling pytest in the manner we show above for Quick and Dirty.
By not being importable it prevents a whole class of testing problems related to accidentally
getting your local dev code instead of what is installed by the package. It also forces you
in general to test installed code instead of dev code, making sure that your packaging is correct also
- Why this directory structure?
- https://blog.ionelmc.ro/2014/05/25/python-packaging/#the-structure
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent